Code snippets to add on top of cobalt strike sleepmask kit so that ekko can work in a CFG protected process.
All credits to @Icebreaker
Usage
- Enable ekko sleep in sleepmask kit
- Include cfg.c
- Add below codes before ekko sleep
PVOID NtContinue = KERNEL32$GetProcAddress(KERNEL32$GetModuleHandleA("ntdll.dll"),"NtContinue");
//PVOID NtContinue = NTDLL$NtContinue; //<-- this should be the same as above
if (!markCFGValid_nt(NtContinue))
{
return;
}
- Put cfg.c in folder
- Append the contents in bofdefs.h
- Compile
Caveat
- Sleep 0 will terminate the process, meaning that socks cannot be used (However, if interactive process is needed, its pointless to use ekko, just revert back to use original sleep)